WyzGuys Tech Talk

The average number of days between a network intrusion and its detection by the victim is around 200 days, which is at least 199 days too long. Sooner or later your company will suffer a network intrusion, computer incident, or data breach, in spite of your best efforts to prevent it. The goal is to shorten the time between intrusion and detection.

A recent article on Tech Republic discusses the sort of detective work that a network admin or cybersecurity analyst needs to undertake to make quicker detection happen. A good place to start is in your event logs. What sorts of indicators should you be looking for?

Failed logon attempts – Event IDs 4625, 529-539.

Explicit credentials – Event ID 4648 and/or 552.

Privilege changes – Event IDs 4728, 4732, 4756.

Suspicious sites – Look in your DNS logs for the names and addresses your hosts are resolving. If an unusual site or address appears repeatedly, it could indicate C2 (command and control) connections.
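As an added illustration of the four checks above (not code from the Tech Republic article or from this blog), the Python below runs them over a handful of constructed log records. The record shape (`time`, `id`, `user`, `src_ip`, `group`, `qname`), the thresholds (five failed logons in five minutes, ten lookups of one name) and the sensitive-group list are assumptions you would tune to your own environment; the event IDs are the ones listed in the post.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Event IDs named in the post: 4625 and the older 529-539 are failed logons,
# 4648/552 are logons with explicit credentials, and 4728/4732/4756 are
# "member added to a security-enabled global/local/universal group".
FAILED_LOGON_IDS = {4625, *range(529, 540)}
EXPLICIT_CRED_IDS = {4648, 552}
PRIV_CHANGE_IDS = {4728, 4732, 4756}


def _ts(s):
    return datetime.fromisoformat(s)


# Constructed sample Security log records (not real logs). The field names are
# an assumption about how you exported the events; adapt them to your source.
SECURITY_EVENTS = [
    {"time": "2024-01-10T09:00:01", "id": 4625, "user": "jsmith", "src_ip": "10.0.0.55"},
    {"time": "2024-01-10T09:00:12", "id": 4625, "user": "jsmith", "src_ip": "10.0.0.55"},
    {"time": "2024-01-10T09:00:25", "id": 4625, "user": "jsmith", "src_ip": "10.0.0.55"},
    {"time": "2024-01-10T09:00:40", "id": 4625, "user": "jsmith", "src_ip": "10.0.0.55"},
    {"time": "2024-01-10T09:00:58", "id": 4625, "user": "jsmith", "src_ip": "10.0.0.55"},
    {"time": "2024-01-10T09:01:10", "id": 4625, "user": "jsmith", "src_ip": "10.0.0.55"},
    {"time": "2024-01-10T09:02:00", "id": 4624, "user": "jsmith", "src_ip": "10.0.0.55"},
    {"time": "2024-01-10T09:05:00", "id": 4648, "user": "jsmith", "src_ip": "10.0.0.55",
     "target": "FILESRV01"},
    {"time": "2024-01-10T09:07:30", "id": 4728, "user": "jsmith", "src_ip": "10.0.0.55",
     "group": "Domain Admins", "member": "tempadmin"},
    # One stray failed logon from another host: a typo, not a burst.
    {"time": "2024-01-10T10:15:00", "id": 4625, "user": "alee", "src_ip": "10.0.0.77"},
]

# Constructed DNS query log: one odd name resolved every two minutes, plus a
# few lookups of a normal site.
DNS_QUERIES = (
    [{"time": f"2024-01-10T09:{10 + 2 * i:02d}:00", "client": "10.0.0.55",
      "qname": "a1b2c3d4.update-check.example"} for i in range(12)]
    + [{"time": "2024-01-10T09:11:00", "client": "10.0.0.23",
        "qname": "www.example.com"}] * 3
)


def find_failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Sources with at least `threshold` failed logons inside any `window`."""
    per_ip = defaultdict(list)
    for e in events:
        if e["id"] in FAILED_LOGON_IDS:
            per_ip[e["src_ip"]].append(_ts(e["time"]))
    hits = []
    for ip, times in per_ip.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits.append((ip, best))
    return hits


def find_explicit_credential_use(events):
    """Every logon made with explicitly supplied credentials (runas, mapped drives...)."""
    return [e for e in events if e["id"] in EXPLICIT_CRED_IDS]


def find_privilege_changes(events, sensitive_groups=("Domain Admins", "Administrators",
                                                     "Enterprise Admins")):
    """Group-membership additions that touch a sensitive group."""
    return [e for e in events
            if e["id"] in PRIV_CHANGE_IDS and e.get("group") in sensitive_groups]


def find_repeated_dns(queries, min_count=10, allowlist=frozenset()):
    """Names resolved at least `min_count` times, with the spread of the gaps
    between lookups: a tight, regular interval is the classic beacon shape."""
    by_name = defaultdict(list)
    for q in queries:
        if q["qname"] not in allowlist:
            by_name[q["qname"]].append(_ts(q["time"]))
    report = []
    for name, times in by_name.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report.append({"qname": name, "count": len(times),
                       "gap_min_s": min(gaps), "gap_max_s": max(gaps)})
    return sorted(report, key=lambda r: -r["count"])


if __name__ == "__main__":
    print("failed-logon bursts:", find_failed_logon_bursts(SECURITY_EVENTS))
    print("explicit credentials:", find_explicit_credential_use(SECURITY_EVENTS))
    print("sensitive group changes:", find_privilege_changes(SECURITY_EVENTS))
    print("repeated DNS names:", find_repeated_dns(DNS_QUERIES))
```

Read the four results together rather than separately: in the sample data the same host (10.0.0.55) fails to log on six times in a minute, then succeeds, then uses explicit credentials against a file server, adds an account to Domain Admins and resolves an unfamiliar name every two minutes. Any one of those is explainable; the sequence is what an analyst should chase. Keep an allowlist for your own update and monitoring domains so the DNS check is not drowned in noise.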

Of course, this process works best when automated, so finding the right tool and budgeting for it is going to be critical to early detection and remediation of a network intrusion. Good luck and good hunting!

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area.
Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP).
As Senior Cybersecurity Engineer at Computer Integration Technologies, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees.
We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA.
The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.